SlideShare a Scribd company logo
1 of 44
Download to read offline
Ruby on Rails Security




Jonathan Weiss, 30.12.2007
Peritor Wissensmanagement GmbH
Who am I ?

Jonathan Weiss

• Consultant for Peritor Wissensmanagement GmbH
• Specialized in Rails, Scaling, and Code Review
• Active member of the Rails community
• MeinProf.de - one of the first big German Rails sites
• Webistrano - Rails deployment tool
• FreeBSD Rubygems and Ruby on Rails maintainer




                                                         2
Agenda



                              Follow the application stack
                              and look for
 Setup and deployment


                            • Information leaks
 Application code
                            • Possible vulnerabilities
                            • Best practices
 Framework code


  Rails Application Stack




                                                             3

                                                                 3
Rails Application Setup




                          4
Rails Setup




              5
Rails Setup - FastCGI




                        6
Rails Setup - Mongrel




                        7
Information leaks
          and
possible vulnerabilities




                           8
Information leaks

Is the target application a Rails application?
 • Default setup for static files:
     /javascripts/application.js
     /stylesheets/application.css
     /images/foo.png


 • Pretty URLs
     /project/show/12
     /message/create
     /folder/delete/43
     /users/83



                                                 9
Information leaks

Is the target application a Rails application?
 • Rails provides default templates for 404 and 500 status pages
 • Different Rails versions use different default pages
 • 422.html only present in applications generated with Rails 2.0




                                                                    10
Sample Status Pages
 http://www.twitter.com/500.html      http://www.43people.com/500.html




http://www.strongspace.com/500.html   Rails >= 1.2 status 500 page




                                                                         11
Server Header

GET http://www.43people.com

Date: Tue, 25 Dec 2007 21:23:24 GMT
Server: Apache/1.3.34 (Unix) mod_deflate/1.0.21 mod_fastcgi/2.4.2 mod_ssl/2.8.25 OpenSSL/0.9.7e-p1
Cache-Control: no-cache
…



GET https://signup.37signals.com/highrise/solo/signup/new

Date: Tue, 25 Dec 2007 21:23:24 GMT
Server: Mongrel 1.1.1Status: 200 OK
…

                                                                       Disable Server header
                                                                          # httpd.conf
                                                                          Header unset Server




                                                                                                     12
Information leaks

Subversion metadata
  • Typically Rails applications are deployed with Capistrano / Webistrano
  • This will push .svn directories to the servers



GET http://www.strongspace.com/.svn/entries

…
dir
25376
http://svn.joyent.com/joyent/deprecated_repositories/www.strongspace/trunk/public
http://svn.joyent.com/joyent
                                                                            Prevent .svn download
2006-04-14T03:06:39.902218Z                                                     <DirectoryMatch quot;^/.*/.svn/quot;>
34                                                                               ErrorDocument 403 /404.html
                                                                                 Order allow,deny
justin@joyent.com
                                                                                 Deny from all
…
                                                                                 Satisfy All
                                                                                </DirectoryMatch>

                                                                                                                 13
Cookie Session Storage

Since Rails 2.0 by default the session data is stored in the cookie




Base64(CGI::escape(SESSION-DATA))--HMAC(secret_key, SESSION-DATA)




                                                                      14
Cookie Session Storage

Security implications
 • The user can view the session data in plain text
 • The HMAC can be brute-forced and arbitrary session data could be created
 • Replay attacks are easier as you cannot flush the client-side session



Countermeasures
 • Don’t store important data in the session!
 • Use a strong password,
   Rails already forces at least 30 characters
 • Invalidate sessions after certain time on the server side


 … or just switch to another session storage
                                                                              15
Cookie Session Storage

Rails default session secret




Set HTTPS only cookies




                               16
Cross-Site Scripting - XSS



“The injection of HTML or client-side Scripts (e.g. JavaScript) by malicious users into
web pages viewed by other users.”




                                                                                          17
Cross-Site Scripting - XSS


Cases of accepted user input
 • No formatting allowed
    search query, user name, post title, …


 • Formatting allowed
    post body, wiki page, …




                                             18
XSS - No Formatting Allowed

Use the Rails `h()` helper to HTML escape user input




But using `h()` everywhere is easy to forget
 • Use safeERB plugin
 • safeERB will raise an exception whenever a tainted string is not escaped
 • Explicitly untaint string in order to not escape it


 http://agilewebdevelopment.com/plugins/safe_erb


                                                                              19
XSS - Formatting Allowed

Two approaches


 Use custom tags that will translate to HTML (vBulletin tags, RedCloth, Textile, …)




 Use HTML and remove unwanted tags and attributes
    • Blacklist - Rails 1.2
    • Whitelist - Rails 2.0




                                                                                      20
XSS - Custom Tags

Relying on the external syntax is not really secure




              Filter HTML anyhow




                                                      21
XSS - HTML Filtering

Use the Rails `sanitize()` helper




Only effective with Rails 2.0:
  • Filters HTML nodes and attributes
  • Removes protocols like “javascript:”
  • Handles unicode/ascii/hex hacks



                                           22
XSS - HTML Filtering

sanitize(html, options = {})




http://api.rubyonrails.com/classes/ActionView/Helpers/SanitizeHelper.html

                                                                            23
XSS - HTML Filtering

Utilize Tidy if you want to be more cautious




                                               24
Session Fixation



Provide the user with a session that he shares with the attacker:




                                                                    25
Session Fixation

Rails uses only cookie-based sessions


Still, you should reset the session after a login




The popular authentication plugins like restful_authentication are not doing this!

                                                                                     26
Cross-Site Request Forgery - CSRF



You visit a malicious site which has an image like this




Only accepting POST does not really help




                                                          27
CSRF Protection in Rails



By default Rails 2.0 will check all POST requests for a session token




All forms generated by Rails will supply this token

                                                                        28
CSRF Protection in Rails


Very useful and on-by-default, but make sure that
 • GET requests are safe and idempotent
 • Session cookies are not persistent (expires-at)




                                                     29
SQL Injection


The users input is not correctly escaped before using it in SQL statements




                                                                             30
SQL Injection Protection in Rails


Always use the escaped form




If you have to manually use a user-submitted value, use `quote()`




                                                                    31
JavaScript Hijacking

http://my.evil.site/




 JSON response




The JSON response will be evaled by the Browser’s JavaScript engine.
With a redefined `Array()` function this data can be sent back to http://my.evil.site
                                                                                       32
JavaScript Hijacking Prevention

 • Don’t put important data in JSON responses
 • Use unguessable URLs
 • Use a Browser that does not support the redefinition of Array & co,
   currently only FireFox 3.0
 • Don’t return a straight JSON response, prefix it with garbage:




The Rails JavaScript helpers don’t support prefixed JSON responses


                                                                        33
Mass Assignment

User model




                  34
Mass Assignment

Handling in Controller




A malicious user could just submit any value he wants




                                                        35
Mass Assignment

Use `attr_protected` and `attr_accessible`




                       Vs.




Start with `attr_protected` and migrate to `attr_accessible` because of the different
default policies for new attributes.



                                                                                        36
Rails Plugins

Re-using code through plugins is very popular in Rails


Plugins can have their problems too
 • Just because somebody wrote and published a plugin it doesn’t mean the plugin is
   proven to be mature, stable or secure
 • Popular plugins can also have security problems, e.g. restful_authentication
 • Don’t use svn:externals to track external plugins,
   if the plugin’s home page is unavailable you cannot deploy your site




                                                                                      37
Rails Plugins

How to handle plugins
 • Always do a code review of new plugins and look for obvious problems
 • Track plugin announcements
 • Track external sources with Piston, a wrapper around svn:externals




   http://piston.rubyforge.org/



                                                                          38
Rails Denial of Service Attacks

Rails is single-threaded and a typical setup concludes:
 • Limited number of Rails instances
     • ~8 per CPU
     • Even quite active sites (~500.000 PI/day ) use 10-20 CPUs


 • All traffic is handled by Rails




                                                                   39
Rails Denial of Service Attacks

A denial of service attack is very easy if Rails is handling down/uploads.
Just start X (= Rails instances count) simultaneous down/uploads over a throttled line.




This is valid for all slow requests, e.g.
  • Image processing
  • Report generation
  • Mass mailing




                                                                                          40
Rails Slow Request DoS Prevention

 Serve static files directly through the web server
    • Apache, Lighttpd, nginx (use x-sendfile for private files)
    • Amazon S3


 Contaminate slow requests
    • Define several clusters for several tasks
    • Redirect depending on URL




                                                                 41
Conclusion




             42
Conclusion


 Rails has many security features enabled by default
    • SQL quoting
    • HTML sanitization
    • CSRF protection


 The setup can be tricky to get right




 Rails is by no means a “web app security silver bullet” but adding security
  is easy and not a pain like in many other frameworks




                                                                               43
Peritor Wissensmanagement GmbH
Lenbachstraße 2
12157 Berlin
Telefon: +49 (0)30 69 40 11 94
Telefax: +49 (0)30 69 40 11 95
Internet: www.peritor.com
E-Mail: kontakt@peritor.com




                                                             44
©Peritor Wissensmanagement GmbH - Alle Rechte vorbehalten
                                                                  44

More Related Content

What's hot

Ruby On Rails Basics
Ruby On Rails BasicsRuby On Rails Basics
Ruby On Rails BasicsAmit Solanki
 
Build Your Own CMS with Apache Sling
Build Your Own CMS with Apache SlingBuild Your Own CMS with Apache Sling
Build Your Own CMS with Apache SlingBob Paulin
 
Ruby On Rails Introduction
Ruby On Rails IntroductionRuby On Rails Introduction
Ruby On Rails IntroductionThomas Fuchs
 
HTTP, JSON, JavaScript, Map&Reduce built-in to MySQL
HTTP, JSON, JavaScript, Map&Reduce built-in to MySQLHTTP, JSON, JavaScript, Map&Reduce built-in to MySQL
HTTP, JSON, JavaScript, Map&Reduce built-in to MySQLUlf Wendel
 
Intro to Ruby on Rails
Intro to Ruby on RailsIntro to Ruby on Rails
Intro to Ruby on RailsMark Menard
 
High Performance Ajax Applications
High Performance Ajax ApplicationsHigh Performance Ajax Applications
High Performance Ajax ApplicationsJulien Lecomte
 
Writing & Using Web Services
Writing & Using Web ServicesWriting & Using Web Services
Writing & Using Web ServicesRajarshi Guha
 
Service-Oriented Integration With Apache ServiceMix
Service-Oriented Integration With Apache ServiceMixService-Oriented Integration With Apache ServiceMix
Service-Oriented Integration With Apache ServiceMixBruce Snyder
 
OSGi, Scripting and REST, Building Webapps With Apache Sling
OSGi, Scripting and REST, Building Webapps With Apache SlingOSGi, Scripting and REST, Building Webapps With Apache Sling
OSGi, Scripting and REST, Building Webapps With Apache SlingCarsten Ziegeler
 
Service Oriented Integration With ServiceMix
Service Oriented Integration With ServiceMixService Oriented Integration With ServiceMix
Service Oriented Integration With ServiceMixBruce Snyder
 
FITC - Here Be Dragons: Advanced JavaScript Debugging
FITC - Here Be Dragons: Advanced JavaScript DebuggingFITC - Here Be Dragons: Advanced JavaScript Debugging
FITC - Here Be Dragons: Advanced JavaScript DebuggingRami Sayar
 
Jasig Rubyon Rails
Jasig Rubyon RailsJasig Rubyon Rails
Jasig Rubyon RailsPaul Pajo
 
PLAT-16 Using Enterprise Content in Grails
PLAT-16 Using Enterprise Content in GrailsPLAT-16 Using Enterprise Content in Grails
PLAT-16 Using Enterprise Content in GrailsAlfresco Software
 
An Introduction to Ruby on Rails
An Introduction to Ruby on RailsAn Introduction to Ruby on Rails
An Introduction to Ruby on RailsJoe Fiorini
 

What's hot (20)

Ruby On Rails Basics
Ruby On Rails BasicsRuby On Rails Basics
Ruby On Rails Basics
 
Ugo Cei Presentation
Ugo Cei PresentationUgo Cei Presentation
Ugo Cei Presentation
 
Build Your Own CMS with Apache Sling
Build Your Own CMS with Apache SlingBuild Your Own CMS with Apache Sling
Build Your Own CMS with Apache Sling
 
Ruby On Rails Introduction
Ruby On Rails IntroductionRuby On Rails Introduction
Ruby On Rails Introduction
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
HTTP, JSON, JavaScript, Map&Reduce built-in to MySQL
HTTP, JSON, JavaScript, Map&Reduce built-in to MySQLHTTP, JSON, JavaScript, Map&Reduce built-in to MySQL
HTTP, JSON, JavaScript, Map&Reduce built-in to MySQL
 
Intro to Ruby on Rails
Intro to Ruby on RailsIntro to Ruby on Rails
Intro to Ruby on Rails
 
JavaScript Basics with baby steps
JavaScript Basics with baby stepsJavaScript Basics with baby steps
JavaScript Basics with baby steps
 
High Performance Ajax Applications
High Performance Ajax ApplicationsHigh Performance Ajax Applications
High Performance Ajax Applications
 
Writing & Using Web Services
Writing & Using Web ServicesWriting & Using Web Services
Writing & Using Web Services
 
Service-Oriented Integration With Apache ServiceMix
Service-Oriented Integration With Apache ServiceMixService-Oriented Integration With Apache ServiceMix
Service-Oriented Integration With Apache ServiceMix
 
20jsp
20jsp20jsp
20jsp
 
OSGi, Scripting and REST, Building Webapps With Apache Sling
OSGi, Scripting and REST, Building Webapps With Apache SlingOSGi, Scripting and REST, Building Webapps With Apache Sling
OSGi, Scripting and REST, Building Webapps With Apache Sling
 
Service Oriented Integration With ServiceMix
Service Oriented Integration With ServiceMixService Oriented Integration With ServiceMix
Service Oriented Integration With ServiceMix
 
FITC - Here Be Dragons: Advanced JavaScript Debugging
FITC - Here Be Dragons: Advanced JavaScript DebuggingFITC - Here Be Dragons: Advanced JavaScript Debugging
FITC - Here Be Dragons: Advanced JavaScript Debugging
 
Jasig Rubyon Rails
Jasig Rubyon RailsJasig Rubyon Rails
Jasig Rubyon Rails
 
Node.js Express Framework
Node.js Express FrameworkNode.js Express Framework
Node.js Express Framework
 
PLAT-16 Using Enterprise Content in Grails
PLAT-16 Using Enterprise Content in GrailsPLAT-16 Using Enterprise Content in Grails
PLAT-16 Using Enterprise Content in Grails
 
Supa fast Ruby + Rails
Supa fast Ruby + RailsSupa fast Ruby + Rails
Supa fast Ruby + Rails
 
An Introduction to Ruby on Rails
An Introduction to Ruby on RailsAn Introduction to Ruby on Rails
An Introduction to Ruby on Rails
 

Viewers also liked

Max Bolen Resume 12202016
Max Bolen Resume 12202016Max Bolen Resume 12202016
Max Bolen Resume 12202016Max Bolen
 
resume-yifei-wang
resume-yifei-wangresume-yifei-wang
resume-yifei-wangYifei Wang
 
Lainna dobosz resume
Lainna dobosz resumeLainna dobosz resume
Lainna dobosz resumelainnadaz
 
Disaster Survivors Step By Step Action Plan To Find Assistance
Disaster Survivors Step By Step Action Plan To Find AssistanceDisaster Survivors Step By Step Action Plan To Find Assistance
Disaster Survivors Step By Step Action Plan To Find AssistanceHelen Maddox
 
Joanne Holland CV 080916 Public
Joanne Holland CV 080916 PublicJoanne Holland CV 080916 Public
Joanne Holland CV 080916 PublicJoanne Holland
 
Denise Kenney Resume 2016 (public)
Denise Kenney Resume 2016 (public)Denise Kenney Resume 2016 (public)
Denise Kenney Resume 2016 (public)Denise Kenney
 
ACLU Darren Chaker Privacy Brief
ACLU Darren Chaker Privacy BriefACLU Darren Chaker Privacy Brief
ACLU Darren Chaker Privacy BriefDarren Chaker
 
Shelley Lowe's Resume General All Skill Sets (1)
Shelley Lowe's Resume General All Skill Sets (1)Shelley Lowe's Resume General All Skill Sets (1)
Shelley Lowe's Resume General All Skill Sets (1)Shelley Lowe
 
CV Haris Sanahuja (2016)
CV Haris Sanahuja (2016) CV Haris Sanahuja (2016)
CV Haris Sanahuja (2016) Haris Sanahuja
 

Viewers also liked (13)

Oracle Complete Interview Questions
Oracle Complete Interview QuestionsOracle Complete Interview Questions
Oracle Complete Interview Questions
 
Max Bolen Resume 12202016
Max Bolen Resume 12202016Max Bolen Resume 12202016
Max Bolen Resume 12202016
 
resume-yifei-wang
resume-yifei-wangresume-yifei-wang
resume-yifei-wang
 
Lainna dobosz resume
Lainna dobosz resumeLainna dobosz resume
Lainna dobosz resume
 
MadhuMathi Kannan
MadhuMathi KannanMadhuMathi Kannan
MadhuMathi Kannan
 
Josh Merrifield2
Josh Merrifield2Josh Merrifield2
Josh Merrifield2
 
Disaster Survivors Step By Step Action Plan To Find Assistance
Disaster Survivors Step By Step Action Plan To Find AssistanceDisaster Survivors Step By Step Action Plan To Find Assistance
Disaster Survivors Step By Step Action Plan To Find Assistance
 
Resume-Yang
Resume-YangResume-Yang
Resume-Yang
 
Joanne Holland CV 080916 Public
Joanne Holland CV 080916 PublicJoanne Holland CV 080916 Public
Joanne Holland CV 080916 Public
 
Denise Kenney Resume 2016 (public)
Denise Kenney Resume 2016 (public)Denise Kenney Resume 2016 (public)
Denise Kenney Resume 2016 (public)
 
ACLU Darren Chaker Privacy Brief
ACLU Darren Chaker Privacy BriefACLU Darren Chaker Privacy Brief
ACLU Darren Chaker Privacy Brief
 
Shelley Lowe's Resume General All Skill Sets (1)
Shelley Lowe's Resume General All Skill Sets (1)Shelley Lowe's Resume General All Skill Sets (1)
Shelley Lowe's Resume General All Skill Sets (1)
 
CV Haris Sanahuja (2016)
CV Haris Sanahuja (2016) CV Haris Sanahuja (2016)
CV Haris Sanahuja (2016)
 

Similar to Ruby on Rails Security

Ruby On Rails Security 9984
Ruby On Rails Security 9984Ruby On Rails Security 9984
Ruby On Rails Security 9984Dr Rushi Raval
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing3S Labs
 
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか  〜技術選びで注目すべきポイントとは〜Web開発の技術選び、 好き嫌いでやってませんか  〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜Yuki Okada
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Dynamic Languages & Web Frameworks in GlassFish
Dynamic Languages & Web Frameworks in GlassFishDynamic Languages & Web Frameworks in GlassFish
Dynamic Languages & Web Frameworks in GlassFishIndicThreads
 
Running your Java EE 6 applications in the Cloud
Running your Java EE 6 applications in the CloudRunning your Java EE 6 applications in the Cloud
Running your Java EE 6 applications in the CloudArun Gupta
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudArun Gupta
 
Running your Java EE 6 Apps in the Cloud - JavaOne India 2011
Running your Java EE 6 Apps in the Cloud - JavaOne India 2011Running your Java EE 6 Apps in the Cloud - JavaOne India 2011
Running your Java EE 6 Apps in the Cloud - JavaOne India 2011Arun Gupta
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
JFokus 2011 - Running your Java EE 6 apps in the Cloud
JFokus 2011 - Running your Java EE 6 apps in the CloudJFokus 2011 - Running your Java EE 6 apps in the Cloud
JFokus 2011 - Running your Java EE 6 apps in the CloudArun Gupta
 
Running your Java EE 6 Applications in the Cloud
Running your Java EE 6 Applications in the CloudRunning your Java EE 6 Applications in the Cloud
Running your Java EE 6 Applications in the CloudArun Gupta
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Denis Baranov - Root via XSS
Denis Baranov - Root via XSSDenis Baranov - Root via XSS
Denis Baranov - Root via XSSDefconRussia
 

Similar to Ruby on Rails Security (20)

Ruby On Rails Security 9984
Ruby On Rails Security 9984Ruby On Rails Security 9984
Ruby On Rails Security 9984
 
Ruby on-rails-security
Ruby on-rails-securityRuby on-rails-security
Ruby on-rails-security
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
 
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか  〜技術選びで注目すべきポイントとは〜Web開発の技術選び、 好き嫌いでやってませんか  〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Dynamic Languages & Web Frameworks in GlassFish
Dynamic Languages & Web Frameworks in GlassFishDynamic Languages & Web Frameworks in GlassFish
Dynamic Languages & Web Frameworks in GlassFish
 
Running your Java EE 6 applications in the Cloud
Running your Java EE 6 applications in the CloudRunning your Java EE 6 applications in the Cloud
Running your Java EE 6 applications in the Cloud
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
 
Running your Java EE 6 Apps in the Cloud - JavaOne India 2011
Running your Java EE 6 Apps in the Cloud - JavaOne India 2011Running your Java EE 6 Apps in the Cloud - JavaOne India 2011
Running your Java EE 6 Apps in the Cloud - JavaOne India 2011
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
JFokus 2011 - Running your Java EE 6 apps in the Cloud
JFokus 2011 - Running your Java EE 6 apps in the CloudJFokus 2011 - Running your Java EE 6 apps in the Cloud
JFokus 2011 - Running your Java EE 6 apps in the Cloud
 
Running your Java EE 6 Applications in the Cloud
Running your Java EE 6 Applications in the CloudRunning your Java EE 6 Applications in the Cloud
Running your Java EE 6 Applications in the Cloud
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Web Security
Web SecurityWeb Security
Web Security
 
Denis Baranov - Root via XSS
Denis Baranov - Root via XSSDenis Baranov - Root via XSS
Denis Baranov - Root via XSS
 

More from Jonathan Weiss

Docker on AWS OpsWorks
Docker on AWS OpsWorksDocker on AWS OpsWorks
Docker on AWS OpsWorksJonathan Weiss
 
ChefConf 2014 - AWS OpsWorks Under The Hood
ChefConf 2014 - AWS OpsWorks Under The HoodChefConf 2014 - AWS OpsWorks Under The Hood
ChefConf 2014 - AWS OpsWorks Under The HoodJonathan Weiss
 
AWS OpsWorks & Chef at the Hamburg Chef User Group 2014
AWS OpsWorks & Chef at the Hamburg Chef User Group 2014AWS OpsWorks & Chef at the Hamburg Chef User Group 2014
AWS OpsWorks & Chef at the Hamburg Chef User Group 2014Jonathan Weiss
 
DevOpsDays Amsterdam - Observations in the cloud
DevOpsDays Amsterdam - Observations in the cloudDevOpsDays Amsterdam - Observations in the cloud
DevOpsDays Amsterdam - Observations in the cloudJonathan Weiss
 
Introduction to Backbone.js
Introduction to Backbone.jsIntroduction to Backbone.js
Introduction to Backbone.jsJonathan Weiss
 
Build your own clouds with Chef and MCollective
Build your own clouds with Chef and MCollectiveBuild your own clouds with Chef and MCollective
Build your own clouds with Chef and MCollectiveJonathan Weiss
 
NoSQL - Motivation and Overview
NoSQL - Motivation and OverviewNoSQL - Motivation and Overview
NoSQL - Motivation and OverviewJonathan Weiss
 
NoSQL - An introduction to CouchDB
NoSQL - An introduction to CouchDBNoSQL - An introduction to CouchDB
NoSQL - An introduction to CouchDBJonathan Weiss
 
Amazon EC2 in der Praxis
Amazon EC2 in der PraxisAmazon EC2 in der Praxis
Amazon EC2 in der PraxisJonathan Weiss
 
Infrastructure Automation with Chef
Infrastructure Automation with ChefInfrastructure Automation with Chef
Infrastructure Automation with ChefJonathan Weiss
 
Rails in the Cloud - Experiences from running on EC2
Rails in the Cloud - Experiences from running on EC2Rails in the Cloud - Experiences from running on EC2
Rails in the Cloud - Experiences from running on EC2Jonathan Weiss
 
CouchDB on Rails - RailsWayCon 2010
CouchDB on Rails - RailsWayCon 2010CouchDB on Rails - RailsWayCon 2010
CouchDB on Rails - RailsWayCon 2010Jonathan Weiss
 
CouchDB on Rails - FrozenRails 2010
CouchDB on Rails - FrozenRails 2010CouchDB on Rails - FrozenRails 2010
CouchDB on Rails - FrozenRails 2010Jonathan Weiss
 
NoSQL - Post-Relational Databases - BarCamp Ruhr3
NoSQL - Post-Relational Databases - BarCamp Ruhr3NoSQL - Post-Relational Databases - BarCamp Ruhr3
NoSQL - Post-Relational Databases - BarCamp Ruhr3Jonathan Weiss
 

More from Jonathan Weiss (20)

Docker on AWS OpsWorks
Docker on AWS OpsWorksDocker on AWS OpsWorks
Docker on AWS OpsWorks
 
ChefConf 2014 - AWS OpsWorks Under The Hood
ChefConf 2014 - AWS OpsWorks Under The HoodChefConf 2014 - AWS OpsWorks Under The Hood
ChefConf 2014 - AWS OpsWorks Under The Hood
 
AWS OpsWorks & Chef at the Hamburg Chef User Group 2014
AWS OpsWorks & Chef at the Hamburg Chef User Group 2014AWS OpsWorks & Chef at the Hamburg Chef User Group 2014
AWS OpsWorks & Chef at the Hamburg Chef User Group 2014
 
DevOpsDays Amsterdam - Observations in the cloud
DevOpsDays Amsterdam - Observations in the cloudDevOpsDays Amsterdam - Observations in the cloud
DevOpsDays Amsterdam - Observations in the cloud
 
Amazon SWF and Gordon
Amazon SWF and GordonAmazon SWF and Gordon
Amazon SWF and Gordon
 
Introduction to Backbone.js
Introduction to Backbone.jsIntroduction to Backbone.js
Introduction to Backbone.js
 
Scalarium and CouchDB
Scalarium and CouchDBScalarium and CouchDB
Scalarium and CouchDB
 
Build your own clouds with Chef and MCollective
Build your own clouds with Chef and MCollectiveBuild your own clouds with Chef and MCollective
Build your own clouds with Chef and MCollective
 
NoSQL - Motivation and Overview
NoSQL - Motivation and OverviewNoSQL - Motivation and Overview
NoSQL - Motivation and Overview
 
NoSQL - An introduction to CouchDB
NoSQL - An introduction to CouchDBNoSQL - An introduction to CouchDB
NoSQL - An introduction to CouchDB
 
Running on Amazon EC2
Running on Amazon EC2Running on Amazon EC2
Running on Amazon EC2
 
Amazon EC2 in der Praxis
Amazon EC2 in der PraxisAmazon EC2 in der Praxis
Amazon EC2 in der Praxis
 
Infrastructure Automation with Chef
Infrastructure Automation with ChefInfrastructure Automation with Chef
Infrastructure Automation with Chef
 
Rails in the Cloud
Rails in the CloudRails in the Cloud
Rails in the Cloud
 
EventMachine
EventMachineEventMachine
EventMachine
 
CouchDB on Rails
CouchDB on RailsCouchDB on Rails
CouchDB on Rails
 
Rails in the Cloud - Experiences from running on EC2
Rails in the Cloud - Experiences from running on EC2Rails in the Cloud - Experiences from running on EC2
Rails in the Cloud - Experiences from running on EC2
 
CouchDB on Rails - RailsWayCon 2010
CouchDB on Rails - RailsWayCon 2010CouchDB on Rails - RailsWayCon 2010
CouchDB on Rails - RailsWayCon 2010
 
CouchDB on Rails - FrozenRails 2010
CouchDB on Rails - FrozenRails 2010CouchDB on Rails - FrozenRails 2010
CouchDB on Rails - FrozenRails 2010
 
NoSQL - Post-Relational Databases - BarCamp Ruhr3
NoSQL - Post-Relational Databases - BarCamp Ruhr3NoSQL - Post-Relational Databases - BarCamp Ruhr3
NoSQL - Post-Relational Databases - BarCamp Ruhr3
 

Recently uploaded

Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 

Recently uploaded (20)

Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 

Ruby on Rails Security

  • 1. Ruby on Rails Security Jonathan Weiss, 30.12.2007 Peritor Wissensmanagement GmbH
  • 2. Who am I ? Jonathan Weiss • Consultant for Peritor Wissensmanagement GmbH • Specialized in Rails, Scaling, and Code Review • Active member of the Rails community • MeinProf.de - one of the first big German Rails sites • Webistrano - Rails deployment tool • FreeBSD Rubygems and Ruby on Rails maintainer 2
  • 3. Agenda Follow the application stack and look for Setup and deployment • Information leaks Application code • Possible vulnerabilities • Best practices Framework code Rails Application Stack 3 3
  • 6. Rails Setup - FastCGI 6
  • 7. Rails Setup - Mongrel 7
  • 8. Information leaks and possible vulnerabilities 8
  • 9. Information leaks Is the target application a Rails application? • Default setup for static files: /javascripts/application.js /stylesheets/application.css /images/foo.png • Pretty URLs /project/show/12 /message/create /folder/delete/43 /users/83 9
  • 10. Information leaks Is the target application a Rails application? • Rails provides default templates for 404 and 500 status pages • Different Rails versions use different default pages • 422.html only present in applications generated with Rails 2.0 10
  • 11. Sample Status Pages http://www.twitter.com/500.html http://www.43people.com/500.html http://www.strongspace.com/500.html Rails >= 1.2 status 500 page 11
  • 12. Server Header GET http://www.43people.com Date: Tue, 25 Dec 2007 21:23:24 GMT Server: Apache/1.3.34 (Unix) mod_deflate/1.0.21 mod_fastcgi/2.4.2 mod_ssl/2.8.25 OpenSSL/0.9.7e-p1 Cache-Control: no-cache … GET https://signup.37signals.com/highrise/solo/signup/new Date: Tue, 25 Dec 2007 21:23:24 GMT Server: Mongrel 1.1.1Status: 200 OK … Disable Server header # httpd.conf Header unset Server 12
  • 13. Information leaks Subversion metadata • Typically Rails applications are deployed with Capistrano / Webistrano • This will push .svn directories to the servers GET http://www.strongspace.com/.svn/entries … dir 25376 http://svn.joyent.com/joyent/deprecated_repositories/www.strongspace/trunk/public http://svn.joyent.com/joyent Prevent .svn download 2006-04-14T03:06:39.902218Z <DirectoryMatch quot;^/.*/.svn/quot;> 34 ErrorDocument 403 /404.html Order allow,deny justin@joyent.com Deny from all … Satisfy All </DirectoryMatch> 13
  • 14. Cookie Session Storage Since Rails 2.0 by default the session data is stored in the cookie Base64(CGI::escape(SESSION-DATA))--HMAC(secret_key, SESSION-DATA) 14
  • 15. Cookie Session Storage Security implications • The user can view the session data in plain text • The HMAC can be brute-forced and arbitrary session data could be created • Replay attacks are easier as you cannot flush the client-side session Countermeasures • Don’t store important data in the session! • Use a strong password, Rails already forces at least 30 characters • Invalidate sessions after certain time on the server side … or just switch to another session storage 15
  • 16. Cookie Session Storage Rails default session secret Set HTTPS only cookies 16
  • 17. Cross-Site Scripting - XSS “The injection of HTML or client-side Scripts (e.g. JavaScript) by malicious users into web pages viewed by other users.” 17
  • 18. Cross-Site Scripting - XSS Cases of accepted user input • No formatting allowed search query, user name, post title, … • Formatting allowed post body, wiki page, … 18
  • 19. XSS - No Formatting Allowed Use the Rails `h()` helper to HTML escape user input But using `h()` everywhere is easy to forget • Use safeERB plugin • safeERB will raise an exception whenever a tainted string is not escaped • Explicitly untaint string in order to not escape it http://agilewebdevelopment.com/plugins/safe_erb 19
  • 20. XSS - Formatting Allowed Two approaches Use custom tags that will translate to HTML (vBulletin tags, RedCloth, Textile, …) Use HTML and remove unwanted tags and attributes • Blacklist - Rails 1.2 • Whitelist - Rails 2.0 20
  • 21. XSS - Custom Tags Relying on the external syntax is not really secure Filter HTML anyhow 21
  • 22. XSS - HTML Filtering Use the Rails `sanitize()` helper Only effective with Rails 2.0: • Filters HTML nodes and attributes • Removes protocols like “javascript:” • Handles unicode/ascii/hex hacks 22
  • 23. XSS - HTML Filtering sanitize(html, options = {}) http://api.rubyonrails.com/classes/ActionView/Helpers/SanitizeHelper.html 23
  • 24. XSS - HTML Filtering Utilize Tidy if you want to be more cautious 24
  • 25. Session Fixation Provide the user with a session that he shares with the attacker: 25
  • 26. Session Fixation Rails uses only cookie-based sessions Still, you should reset the session after a login The popular authentication plugins like restful_authentication are not doing this! 26
  • 27. Cross-Site Request Forgery - CSRF You visit a malicious site which has an image like this Only accepting POST does not really help 27
  • 28. CSRF Protection in Rails By default Rails 2.0 will check all POST requests for a session token All forms generated by Rails will supply this token 28
  • 29. CSRF Protection in Rails Very useful and on-by-default, but make sure that • GET requests are safe and idempotent • Session cookies are not persistent (expires-at) 29
  • 30. SQL Injection The users input is not correctly escaped before using it in SQL statements 30
  • 31. SQL Injection Protection in Rails Always use the escaped form If you have to manually use a user-submitted value, use `quote()` 31
  • 32. JavaScript Hijacking http://my.evil.site/ JSON response The JSON response will be evaled by the Browser’s JavaScript engine. With a redefined `Array()` function this data can be sent back to http://my.evil.site 32
  • 33. JavaScript Hijacking Prevention • Don’t put important data in JSON responses • Use unguessable URLs • Use a Browser that does not support the redefinition of Array & co, currently only FireFox 3.0 • Don’t return a straight JSON response, prefix it with garbage: The Rails JavaScript helpers don’t support prefixed JSON responses 33
  • 35. Mass Assignment Handling in Controller A malicious user could just submit any value he wants 35
  • 36. Mass Assignment Use `attr_protected` and `attr_accessible` Vs. Start with `attr_protected` and migrate to `attr_accessible` because of the different default policies for new attributes. 36
  • 37. Rails Plugins Re-using code through plugins is very popular in Rails Plugins can have their problems too • Just because somebody wrote and published a plugin it doesn’t mean the plugin is proven to be mature, stable or secure • Popular plugins can also have security problems, e.g. restful_authentication • Don’t use svn:externals to track external plugins, if the plugin’s home page is unavailable you cannot deploy your site 37
  • 38. Rails Plugins How to handle plugins • Always do a code review of new plugins and look for obvious problems • Track plugin announcements • Track external sources with Piston, a wrapper around svn:externals http://piston.rubyforge.org/ 38
  • 39. Rails Denial of Service Attacks Rails is single-threaded and a typical setup concludes: • Limited number of Rails instances • ~8 per CPU • Even quite active sites (~500.000 PI/day ) use 10-20 CPUs • All traffic is handled by Rails 39
  • 40. Rails Denial of Service Attacks A denial of service attack is very easy if Rails is handling down/uploads. Just start X (= Rails instances count) simultaneous down/uploads over a throttled line. This is valid for all slow requests, e.g. • Image processing • Report generation • Mass mailing 40
  • 41. Rails Slow Request DoS Prevention Serve static files directly through the web server • Apache, Lighttpd, nginx (use x-sendfile for private files) • Amazon S3 Contaminate slow requests • Define several clusters for several tasks • Redirect depending on URL 41
  • 43. Conclusion Rails has many security features enabled by default • SQL quoting • HTML sanitization • CSRF protection The setup can be tricky to get right Rails is by no means a “web app security silver bullet” but adding security is easy and not a pain like in many other frameworks 43
  • 44. Peritor Wissensmanagement GmbH Lenbachstraße 2 12157 Berlin Telefon: +49 (0)30 69 40 11 94 Telefax: +49 (0)30 69 40 11 95 Internet: www.peritor.com E-Mail: kontakt@peritor.com 44 ©Peritor Wissensmanagement GmbH - Alle Rechte vorbehalten 44